Hacking the 0-day Supply Chain

February 9th, 2016

I’ve been thinking about security and the supply chain a lot lately, likely for obvious reasons to anyone in the information security industry. It’s a perennial weak link, and often we’ve done the barest of due diligence in ensuring our partners, suppliers, and even customers have properly secured the systems and applications whose compromise could lead to attacks against our own infrastructure.

There are lots of types of supply chains, though, and one I’ve been mulling over recently is the entire bug hunting/bug bounty industry. If I were an attacker or group with significant skill and resources, I’d focus on the bug bounty supply chain – why bother finding bugs when I could just steal them from Charlie Miller or Tavis Ormandy? I’m not calling either of these gentlemen out for any reason, obviously, other than their fame at finding and demonstrating flaws.

What about the rest of this supply chain? Companies like HackerOne and bugcrowd have access to many talented researchers, although I’m guessing they don’t store exploits (at least not for long). Even then, the wealth of data about bugs, researchers, and more would be well worth the effort for any sophisticated adversaries.

Finally, targeting the security teams that handle bug submissions at vendors would be another excellent choice for any adversary. These folks have to validate bug submissions, often with POC code, and they would certainly make great targets for attackers looking to shortcut the process of discovering flaws.

What responsibilities do researchers have to keep this information safe? Obviously they want to protect their own stuff, and any brokering firm would do the same, but as the Hacking Team debacle showed us, someone is more than willing to steal your exploits and put them to good use.

You know what I think would be a great talk at a conference? Not another “I found a bug” talk. I think people would be interested in how researchers defend themselves, given that they’re prime targets today. I’m sure these folks get attacked regularly, and hearing about how they protect their research would be fascinating.